Increase in Akira ransomware targeting SonicWall SSL VPN
In late July 2025, Arctic Wolf researchers observed an increase in Akira ransomware activity using SonicWall SSL VPN devices for initial access. The intrusions likely involved the exploitation of a zero-day vulnerability, since some fully patched devices were affected even after credential rotation. The most recent increase in activity began as early as July 15th, 2025, although similar malicious VPN logins have been observed since at least October 2024. Users are advised to block a provided list of hosting-related ASNs and to consider blocking their corresponding CIDR ranges for VPN authentication; SonicWall has since also urged users of SonicWall Gen 7 firewalls to deactivate SSL VPN services.
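The advice above is to deny VPN authentication from hosting-provider address space. The script below is an added example (not Arctic Wolf's or SonicWall's code) of the matching logic a defender would run over VPN authentication logs to find logins that already came from those ranges. The log line format, the field names and the sample log are constructed for the example, and the CIDR list uses RFC 5737 documentation networks as placeholders for the ranges in the advisory's ASN list.

```python
import ipaddress
import re
from dataclasses import dataclass

# Placeholder CIDRs standing in for the hosting-related ranges the advisory lists
# (assumption: RFC 5737 documentation networks, so nothing real is matched here).
BLOCKED_CIDRS = ["198.51.100.0/24", "203.0.113.0/24"]

# Constructed log line format: "<timestamp> user=<name> src=<ip> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)$"
)

# Constructed sample VPN authentication log (not real data).
SAMPLE_LOG = """
2025-07-18T02:14:09Z user=jdoe src=198.51.100.23 result=success
2025-07-18T02:15:41Z user=jdoe src=198.51.100.23 result=success
2025-07-18T08:03:12Z user=asmith src=192.0.2.44 result=success
2025-07-18T08:05:55Z user=bjones src=203.0.113.9 result=failure
2025-07-18T09:12:00Z user=cwu src=10.40.1.7 result=success
this line is malformed and is skipped
""".strip().splitlines()


@dataclass
class VpnLogin:
    ts: str
    user: str
    src: str
    result: str


def build_blocklist(cidrs):
    """Parse CIDR strings once into network objects for fast membership tests."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def parse_vpn_log(lines):
    """Turn raw log lines into VpnLogin records, skipping lines that do not match."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(VpnLogin(**m.groupdict()))
    return events


def in_blocklist(ip_text, networks):
    """True if ip_text is a valid address inside any blocked network (v4 or v6)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def flag_logins(events, networks):
    """All authentication attempts (successful or not) from blocked address space."""
    return [e for e in events if in_blocklist(e.src, networks)]


def successful_blocked_logins(events, networks):
    """The subset that actually authenticated: these sessions need investigation."""
    return [e for e in flag_logins(events, networks) if e.result == "success"]


if __name__ == "__main__":
    nets = build_blocklist(BLOCKED_CIDRS)
    for e in successful_blocked_logins(parse_vpn_log(SAMPLE_LOG), nets):
        print(f"{e.ts} {e.user} authenticated from blocked range {e.src}")
```

Failed attempts from the blocked ranges are kept separately from successes so that the count of attempts can feed a blocking decision while the successful logins go to incident response. The ASN list in the advisory has to be resolved to CIDR ranges before it can be used here; that mapping is not part of this example.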
Campaign leverages AiTM phishing kits, RFQ lures, and Microsoft OAuth impersonation
Since early 2025, Proofpoint researchers have observed activity clusters that create Microsoft OAuth applications and use them to redirect users to malicious URLs for credential phishing. The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and DocuSign, and hand off to attacker-in-the-middle (AiTM) phishing kits that defeat multifactor authentication, namely Tycoon 2FA and ODx. To date, email campaigns impersonating over 50 applications have been observed, with a small number of campaigns showing follow-on activity in cloud threat data. The email messages are often sent from compromised accounts, use request for quote (RFQ) lures, and provide a URL leading to a Microsoft OAuth page for an application. The application prompts for user permissions, after which the user is redirected to a fake CAPTCHA page and then to a counterfeit Microsoft authentication page. A total of 3,000 user accounts across over 900 Microsoft 365 environments have been targeted under the campaign during 2025, with a 50% success rate. In late April 2025, the campaign shifted its operational infrastructure, with a United States-based data center hosting service replacing previously used Russia-based proxy services.
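The applications described above are tenant-facing OAuth registrations whose display names mimic well-known vendors. The following is an added example (not Proofpoint's code or tooling) of a triage check over application consent records: it normalizes the display name to defeat spacing and punctuation tricks, matches it against the brands named in the report, and flags the record when the publisher is unverified or a reply URL points outside the brand's own domains. The record schema (`app_id`, `app_display_name`, `publisher_verified`, `reply_urls`) and the sample records are constructed for this example, and the brand-to-domain map is an assumption that a real deployment would replace with its own vetted publisher list.

```python
import re
from urllib.parse import urlparse

# Assumed brand -> legitimate domains map. The brands are the ones named in the
# Proofpoint report; the domains are an assumption for the example.
IMPERSONATED_BRANDS = {
    "ringcentral": ("ringcentral.com",),
    "sharepoint": ("sharepoint.com", "microsoft.com"),
    "adobe": ("adobe.com",),
    "docusign": ("docusign.com", "docusign.net"),
}

# Constructed consent records with a hypothetical schema (not real audit data).
SAMPLE_CONSENTS = [
    {"app_id": "app-001", "app_display_name": "DocuSign eSignature",
     "publisher_verified": True,
     "reply_urls": ["https://account.docusign.com/callback"]},
    {"app_id": "app-002", "app_display_name": "Share Point Document Viewer",
     "publisher_verified": False,
     "reply_urls": ["https://verify-doc.example/oauth"]},
    {"app_id": "app-003", "app_display_name": "RingCentral Fax",
     "publisher_verified": True,
     "reply_urls": ["https://login.example.net/r"]},
    {"app_id": "app-004", "app_display_name": "Contoso Expense Tool",
     "publisher_verified": False,
     "reply_urls": ["https://expenses.example.org/cb"]},
]


def normalize(name):
    """Lowercase and strip everything but letters/digits: 'Share-Point' -> 'sharepoint'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def matched_brand(display_name):
    """Return the impersonated brand whose token appears in the normalized name, or None."""
    n = normalize(display_name)
    for brand in IMPERSONATED_BRANDS:
        if brand in n:
            return brand
    return None


def host_is_legit(url, domains):
    """True if the URL's host is one of the brand's domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_consent(record):
    """List the reasons a consent record looks like brand impersonation (empty = clean)."""
    brand = matched_brand(record["app_display_name"])
    if brand is None:
        return []
    reasons = []
    if not record.get("publisher_verified", False):
        reasons.append(f"name mimics {brand} but publisher is unverified")
    off_brand = [u for u in record.get("reply_urls", [])
                 if not host_is_legit(u, IMPERSONATED_BRANDS[brand])]
    if off_brand:
        reasons.append(f"reply URL outside {brand} domains: {', '.join(off_brand)}")
    return reasons


def triage(records):
    """Map app_id -> reasons for every record that raises at least one reason."""
    findings = {}
    for r in records:
        reasons = assess_consent(r)
        if reasons:
            findings[r["app_id"]] = reasons
    return findings


if __name__ == "__main__":
    for app_id, reasons in triage(SAMPLE_CONSENTS).items():
        print(app_id, "->", "; ".join(reasons))
```

A verified publisher with a reply URL outside the brand's domains (app-003 in the sample) is still flagged, because the redirect target, not the publisher badge, is what carries the user to the AiTM page in the campaign above.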
Phishing attacks target European organizations with RMM tools to gain remote access
Since November 2024, WithSecure researchers have observed an increase in phishing attacks that embed download links for remote monitoring and management (RMM) tools in PDF documents to target organizations, primarily in France and Luxembourg. The PDFs, often disguised as invoices or contracts, impersonate real employees, reference specific industries, and use direct download links generated by RMM vendors. Recent campaigns have also used malicious PDFs downloaded from Zendesk-hosted URLs. Observed RMM tools include FleetDeck, Action1, BlueTrait, OptiTune, Atera, Syncro, SuperOps, and ScreenConnect, selected for their direct download availability and minimal setup requirements. When a victim clicks the embedded link and runs the installer, the RMM tool grants the attacker remote access; one attack delivered ScreenConnect via a redirect URL instead of a download link. Metadata analysis revealed seven distinct author values, indicating the use of multiple phishing document generation tools as well as document editing platforms. The geographic targeting pattern suggests a Europe-based or Europe-focused threat actor with strong knowledge of local languages and business sectors.
Suspected APT36 phishing campaign targets Indian defense organizations
CYFIRMA researchers identified a sophisticated campaign targeting Indian defense organizations and related government entities. The campaign uses spoofed domains that impersonate official government platforms to steal credentials. The fake government login portals request both the victim’s password and the Kavach-generated one-time password, in order to bypass multi-factor authentication. Analysis of the associated infrastructure revealed additional phishing URLs following similar patterns, with each of the domains registered around the same time. One associated subdomain was found to be hosting content from the Pakistani IT services firm Zah Computers. The researchers noted that the presence of Zah Computers may indicate shared or compromised infrastructure, or direct involvement by actors operating from Pakistan. The observed tactics, including typosquatted domains and spoofed portals, are consistent with APT36 behavior.
PXA Stealer campaign rapidly evolves to evade detection
SentinelLabs and Beazley Security researchers discovered a new, rapidly evolving infostealer campaign, active since late 2024, delivering the Python-based PXA Stealer. To date, over 4,000 unique victim IP addresses have been identified in exfiltrated logs, spanning at least 62 countries, in particular South Korea, the United States, the Netherlands, Hungary, and Austria. The stolen data includes over 200,000 unique passwords, hundreds of credit card records, and over four million browser cookies. The campaign initially delivered LummaC2 and Rhadamanthys Stealer before pivoting to Python-based payloads and incorporating more nuanced anti-analysis techniques, non-malicious decoy content, and a hardened C2 pipeline. The delivery mechanism has remained the same: DLL sideloading of legitimate signed software, with embedded ZIP archives disguised as common file types. Additional payloads are delivered via Dropbox, while stolen data is exfiltrated to the Sherlock Telegram Bot Service via automated bot networks. The campaign has been attributed to Vietnamese-speaking threat actors, who monetize the stolen data through a subscription-based underground ecosystem.
Ransomware
- Shared secret: EDR killer in the kill chain (Sophos – Aug 06 2025)
- Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks (Unit 42 – Palo Alto Networks Blog – Aug 05 2025)
- Palo Alto Networks investigating ransomware threat related to SharePoint exploitation (Cybersecurity Dive – Aug 01 2025)
- INSIDE QILIN RANSOMWARE AFFILIATE PANEL (Medium Cybersecurity – Aug 01 2025)
- Before ToolShell: Exploring Storm-2603’s Previous Ransomware Operations (CheckPoint – Research – Jul 31 2025)
- Unmasking LockBit: A Deep Dive into DLL Sideloading and Masquerading Tactics (Symantec Enterprise Blogs – Jul 31 2025)
Financial Services
- CTM360 spots Malicious ‘ClickTok’ Campaign Targeting TikTok Shop users (Bleeping Computer – Aug 04 2025)
- FinCEN Issues Notice on the Use of Convertible Virtual Currency Kiosks for Scam Payments and Other Illicit Activity (Financial Crimes Enforcement Network – Aug 04 2025)
- Android Malware Targets Indian Banking Users to Steal Financial Info and Mine Crypto (McAfee – Aug 04 2025)
- How a hacker pulled off the largest Bitcoin hack in 2020, now worth $14b (Crypto.News – Aug 04 2025)
- Android Malware Targets Banking Users Through Discord Channels (Infosecurity Today – Jul 31 2025)
Geopolitics
- Ukraine claims to have hacked secrets from Russia’s newest nuclear submarine (Bitdefender – Aug 06 2025)
- CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures (The Hacker News – Aug 06 2025)
- From the Depths of the Shadows: IRGC and Hacker Collectives Of The 12-Day War (SecurityScorecard – Aug 05 2025)
- Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats (Microsoft Security Blog – Jul 31 2025)
- Ukrainian intelligence presents new evidence of Russia abducting Ukrainian children (Ukrayinska Pravda – Jul 30 2025)
High Priority Vulnerabilities
Name | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2025-54136 | Cursor | 7.2 | 4.5 | Cursor IDE: Persistent Code Execution via MCP Trust Bypass
CVE-2025-54948 | Apex One | 9.8 | 9.4 | Trend Micro Confirms Active Exploitation of Critical Apex One Flaws in On-Premise Systems
CVE-2025-21479 | Snapdragon Mobile | 8.6 | 7.5 | Multiple critical and high-severity flaws patched across Android devices
CVE-2025-54782 | nest | 7.3 | 7.0 | Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape
CVE-2024-23692 | HTTP File Server | 9.8 | 9.8 | Critical Rejetto HTTP File Server 2.x flaw exploited to deploy trojan malware and ransomware